SACON
SACON International 2020
India | Bangalore | February 21 - 22 | Taj Yeshwantpur
A Scalable, Control-based, Developer-centric Threat Modeling for
Secure Software Development
Dr. Soumyo Maity and Lokesh Balu
Dell Technologies
Principal & Senior Principal Engineer
SACON 2020
Agenda
• Threat Model 101
• The big scalability question
• Quick intro to Security Controls
• A new control-based approach of threat modeling
• Solution to scalability problems
• A Case study
• Future work
Threat Model 101
• The process of determining
  • the range of potential security threats,
  • the risks associated with them, and
  • the appropriate risk responses
  … at design time.
  (Identify design- and architecture-level security problems)
• Threat modeling = the process
• Threat model = result of the process
Why do Threat Model?
• Produce software that’s secure by design
• Because attackers think differently
  • Creator blindness / new perspective
• Find problems when there’s time to fix them
• Predictably and effectively find security problems early in the process
“Bad guys will do it later if the good guys are lazy”
How to do Threat Model
(Process diagram) Assets to protect → Threats to consider → Objectives to meet → Requirements to implement → Risks to evaluate → Controls to implement → Monitor for gaps
Techniques referenced in the diagram: STRIDE, DREAD, PASTA, LINDDUN, Attack Tree
STRIDE
• Spoofing identity: illegally accessing and then using another user's authentication information
• Tampering with data: malicious modification; unauthorized changes
• Repudiation: denying having performed a malicious action; inability of a system to counter repudiation threats
• Information disclosure: exposure of information to individuals who are not supposed to access it
• Denial of service: denying service to valid users; threats to system availability and reliability
• Elevation of privilege: an unprivileged user gains privileged access to compromise the system; has effectively penetrated and become part of the trusted system
PASTA (Process for Attack Simulation and Threat Analysis)
• Define Business Context: identify the inherent application risk profile and address other business impact
• Define Technology Scope: identify bottlenecks in the technology stack
• Application Decomposition: focus on understanding the data flows amongst application components and services
• Threat Analysis: review threat assertions from data within the environment and deployment model
• Weakness / Vulnerability Identification: identify the vulnerabilities and weaknesses within the application design and code
• Attack Simulation: focus on emulating attacks that could exploit identified weaknesses/vulnerabilities
• Residual Risk Analysis: remediate vulnerabilities or weaknesses in code or design
DREAD
• Damage: how bad would an attack be?
• Reproducibility: how easy is it to reproduce the attack?
• Exploitability: how much work is it to launch the attack?
• Affected users: how many people will be impacted?
• Discoverability: how easy is it to discover the threat?
LINDDUN (Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance)
• Define DFD: high-level system description
• Map Privacy: map LINDDUN with the DFD
• Identify Threat Scenarios: privacy threat patterns in the form of a tree
• Prioritize Threat: risk assessment techniques
• Elicit Privacy Threat: map privacy threat to requirement
• Mitigation Strategy: select Privacy Enhancing Technologies
Attack Tree
(Tree diagram) Root: Attack Goal. Second level: Attack Objective 1, Attack Objective 2, Attack Objective 3. Third level: Attack Method 1, Attack Method 2. Leaves: Asset Attack 1, Asset Attack 2, Asset Attack 3, Asset Attack 2, Asset Attack 4. Branches are combined by AND / OR nodes.
Threat Library Based Approach
• One thing common to all conventional Threat Models
  • Threat Library based approach
• The Threat Library is:
  • Too cryptic for the developers
  • Threats are not directly mapped to an action / activity
  • Usually static
• There are tools:
  • But with limitations
  • Costly
  • Require skill to configure as per business need
Scalability
• Threat modeling is no easy job
• Who cares about the security expert’s jargon?
• Too conceptual, abstract and prescriptive
• Architecture is becoming more and more complex
• Considering the supply chain is a mammoth task
• Security skills / resource gap
• Development is becoming more and more agile (DevOps)
What is a Security Control?
Reference: ISO 27034
Controls: methods, policies, procedures to protect
• assets
• accuracy & reliability of records
• adherence to management standards
Control Catalog
Reference: ISO 27034
OWASP Top 10 Security Controls
• C1: Define Security Requirements
• C2: Leverage Security Frameworks and Libraries
• C3: Secure Database Access
• C4: Encode and Escape Data
• C5: Validate All Inputs
• C6: Implement Digital Identity
• C7: Enforce Access Controls
• C8: Protect Data Everywhere
• C9: Implement Security Logging and Monitoring
• C10: Handle All Errors and Exceptions
The Process Flow
(Diagram: the TVC Triad) Threats → Control → Verify. Labels next to each node: Threats (Threat Intelligence, PSIRT, CSIRT, CWE, ATT&CK, CVE); Control (Control Catalog, ANF); Verify (Verification Activities).
The Revised Process Flow
(Diagram: the TVC Triad, revised) Threats → Control → Verify. Labels next to each node: Threats (Threat Intelligence, PSIRT, CSIRT, CWE, ATT&CK, CVE); Control (Control Catalog, ANF); Verify (Scans, Manual Testing etc.).
The Revised Process Flow with Update
(Diagram: the TVC Triad, revised, with the update loop) Threats → Control → Verify. Labels next to each node: Threats (Threat Intelligence, PSIRT, CSIRT, CWE, ATT&CK, CVE); Control (Control Catalog, ANF); Verify (Scans, Manual Testing etc.).
What does that mean?
• Let’s talk in the developer’s language
  – Instead of non-repudiation, tell them “hey, use a digital signature”
  – Instead of saying tampering or MITM, tell them “secure data transport via TLS 1.2”
  – Etc.
• Threat Library and Control Catalog do not have a 1-1 mapping
• Give a finite set of controls. Make it complete, sound and correct
• Failure of a control = Threat
How does the Control-based approach help?
• Less dependency on security experts
• Can be automated and integrated into the pipeline
• Faster
• Standard
• Adaptive and dynamic
• Complements traditional threat models
  – You still need them for high-value products in the design phase
Illustrative Example
Microsoft TM Tool Report
Manual Threat Model
• Whiteboard
  – With all the stakeholders
Manual Threat Model
• Threat Library
  – A list of all possible threats
    ▪ Attacks on Incomplete Mediation
    ▪ Attacks on Certificate Validation
    ▪ Privilege Escalation Attacks
    ▪ Attacks on Insecure Cryptography
    ▪ Attacks on Network Communications
    ▪ Attacks on Secrets
    ▪ Attacks on Weak Session Management
    ▪ Attacks on Web Interfaces
    ▪ Attacks on Web Services
    ▪ Attacks on Objects
    ▪ Injection Attacks
    ▪ Buffer Overflow Attacks
    ▪ File Upload Attacks
    ▪ Denial of Service Attacks
    ▪ Attacks on Installation Packages/Update
    ▪ Attacks on Security Misconfigurations
    ▪ Attacks on Audit Logs
    ▪ Attacks on Embedded Components
    ▪ Attacks on Datastores
Manual Threat Model
• Threat Library
  – A list of all possible threats
    ▪ Attacks on Incomplete Mediation
      ▪ Unrestricted access
      ▪ Authentication downgrade
      ▪ Authorization bypass
      ▪ Tampering through filesystem access
      ▪ Client bypass
      ▪ Process spoofing
      ▪ Weak access controls
      ▪ Capture/replay attacks
      ▪ Tampering in transit
Manual Report
Fields of the manual threat model report:
• Unique Threat Identifier
• Free Form Threat Identifier
• Element(s) involved in the threat
• Base Metrics (CVSSv3)
• Base Metrics CVSSv3 vector
• Detailed explanation of the “use case” constructed to calculate the CVSSv3 score
• Threat Library Identifier, CWE
• Technical description of the threat
• Risk Registry Index (if a risk registry exists for the product)
• Threat Status: Known/Unknown
• Planned resolution
• Technical Mitigation
• Business Mitigation
Control Based Approach
Control to Threat Map
• Instead of a Threat Library, let us identify threats by using the Control Catalog
• Example, for the threat Cross-Site Scripting (Control -> Threat):
  • Web Security Testing (DAST) -> Cross-site scripting
  • Static analysis using a tool that is able to discover XSS issues in the languages utilized -> Cross-site scripting
  • Perform test for reflected cross-site scripting -> Cross-site scripting
  • Perform test for stored cross-site scripting -> Cross-site scripting
  • A standard convention to mitigate these threats is agreed upon by the development team and is strictly enforced by coding conventions -> Cross-site scripting
  • Penetration Test -> Cross-site scripting
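Added example (not from the slides and not the authors' tooling) of the control-based flow described above and on the "What does that mean?" slide: a control catalog mapped many-to-many to threats, verification results from scans and manual tests, and the rule "failure of a control = threat" producing a threat list worded as developer actions. All control ids, threat names and verification results are constructed for the illustration.

```python
"""Control-based threat derivation: controls map to threats (many-to-many),
verification activities report each control's status, and every failed or
unverified control surfaces as a live threat phrased as a developer action.
Added illustration; ids, names and results are constructed."""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    PASS = "pass"                # verification found the control in place
    FAIL = "fail"                # verification found the control missing or broken
    NOT_VERIFIED = "unverified"  # no activity has covered the control yet


@dataclass(frozen=True)
class Control:
    cid: str            # constructed catalog identifier
    action: str         # what the developer must do, in their language
    threats: frozenset  # threats this control addresses (many-to-many)
    verified_by: tuple  # verification activities able to check it


# Constructed catalog: the XSS rows follow the slide's control-to-threat map,
# the TLS and signature rows follow the "developer's language" slide.
CATALOG = [
    Control("CTL-XSS-01", "Run web security testing (DAST) on every build",
            frozenset({"Cross-site scripting"}), ("dast",)),
    Control("CTL-XSS-02", "Run static analysis able to find XSS in the languages used",
            frozenset({"Cross-site scripting"}), ("sast",)),
    Control("CTL-XSS-03", "Test for reflected cross-site scripting",
            frozenset({"Cross-site scripting"}), ("manual_test", "dast")),
    Control("CTL-XSS-04", "Test for stored cross-site scripting",
            frozenset({"Cross-site scripting"}), ("manual_test", "dast")),
    Control("CTL-XSS-05", "Enforce the agreed output-encoding convention in code review",
            frozenset({"Cross-site scripting"}), ("code_review",)),
    Control("CTL-PT-01", "Run a penetration test before release",
            frozenset({"Cross-site scripting", "Tampering in transit"}), ("pentest",)),
    Control("CTL-TLS-01", "Secure data transport via TLS 1.2",
            frozenset({"Tampering in transit", "Man-in-the-middle"}),
            ("config_scan", "pentest")),
    Control("CTL-SIG-01", "Use a digital signature on audit records and update packages",
            frozenset({"Repudiation", "Attacks on Installation Packages/Update"}),
            ("code_review",)),
]

# Constructed verification results keyed by (control id, activity). An activity
# that ran but did not cover a control simply has no entry.
RESULTS = {
    ("CTL-XSS-01", "dast"): Status.PASS,
    ("CTL-XSS-02", "sast"): Status.FAIL,   # SAST flagged unescaped template output
    ("CTL-XSS-03", "manual_test"): Status.PASS,
    ("CTL-XSS-04", "dast"): Status.FAIL,   # scanner reproduced stored XSS
    ("CTL-XSS-05", "code_review"): Status.PASS,
    ("CTL-PT-01", "pentest"): Status.PASS,
    ("CTL-TLS-01", "config_scan"): Status.PASS,
    # CTL-SIG-01 has no entry: nobody has verified it yet
}


def control_status(control, results):
    """PASS only if every activity that checked the control passed; any FAIL
    is a failure; no evidence at all is NOT_VERIFIED, never a silent pass."""
    seen = [results[(control.cid, act)] for act in control.verified_by
            if (control.cid, act) in results]
    if not seen:
        return Status.NOT_VERIFIED
    return Status.FAIL if Status.FAIL in seen else Status.PASS


def derive_threats(catalog, results):
    """Failure of a control = threat. Returns {threat: sorted control ids}
    for every control that failed or was never verified."""
    live = {}
    for c in catalog:
        if control_status(c, results) is Status.PASS:
            continue
        for t in c.threats:
            live.setdefault(t, []).append(c.cid)
    return {t: sorted(ids) for t, ids in sorted(live.items())}


def developer_actions(catalog, results):
    """The same findings as work items: what to do, which threat it closes,
    and how it will be re-verified, instead of a threat-library label."""
    by_id = {c.cid: c for c in catalog}
    items = []
    for threat, cids in derive_threats(catalog, results).items():
        for cid in cids:
            c = by_id[cid]
            items.append(f"[{threat}] {c.action} (control {cid} is "
                         f"{control_status(c, results).value}; "
                         f"re-verify with: {', '.join(c.verified_by)})")
    return items
```

Running `developer_actions(CATALOG, RESULTS)` lists four work items: two XSS controls that failed and the unverified signature control, which shows up under both threats it maps to.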
The approach is
• Scalable
• Control-based
• Developer centric
• Effective
• Secure
Key Insights
• The STRIDE technique may be good at enumerating the threats; however, it does not aid in developing countermeasures / a mitigation plan
• An Attack Tree provides an overview of the attack surface at some level of abstraction, which results in not capturing the data essential for understanding the threat scenario
• An Attack Library may provide information about the attack vectors and be suitable as a checklist model, but it may not contribute to the completeness we expect in the exercise
Takeaways
• Utilize a combination of each of these techniques to perform the various activities in the threat modelling process
• The critical success factor for the threat modelling exercise lies in adopting a structured approach
• Adopt a flipped model: strive for a control-centric approach
Thank you!
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
Alex Pruden
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..
UiPathCommunity
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 

(SACON) Dr. Soumya Maity & Lokesh Balu - A scalable, control-based, developer-centric Threat Modeling for secure software development

  • 1. SACON International 2020, India | Bangalore | February 21 - 22 | Taj Yeshwantpur. A Scalable, Control-based, Developer-centric Threat Modeling for Secure Software Development. Dr. Soumyo Maity and Lokesh Balu, Dell Technologies, Principal and Senior Principal Engineer
  • 7. STRIDE
    • Spoofing identity: illegally accessing and then using another user's authentication information
    • Tampering with data: malicious modification; unauthorized changes
    • Repudiation: a user denies having performed a malicious action, and the system is unable to counter that denial
    • Information disclosure: exposure of information to individuals who are not supposed to have access to it
    • Denial of service: denying service to valid users; threats to system availability and reliability
    • Elevation of privilege: an unprivileged user gains privileged access to compromise the system, effectively penetrating it and becoming part of the trusted system
  • 8. PASTA (Process for Attack Simulation and Threat Analysis)
    • Define Business Context: identify the application's inherent risk profile and address other business impact
    • Define Technology Scope: identify bottlenecks in the technology stack
    • Application Decomposition: focus on understanding the data flows among application components and services
    • Threat Analysis: review threat assertions from data within the environment and the deployment model
    • Weakness / Vulnerability Identification: identify the vulnerabilities and weaknesses within the application design and code
    • Attack Simulation: focus on emulating attacks that could exploit the identified weaknesses / vulnerabilities
    • Residual Risk Analysis: remediate vulnerabilities or weaknesses in code or design
  • 9. DREAD
    • Damage: how bad would an attack be?
    • Reproducibility: how easy is it to reproduce the attack?
    • Exploitability: how much work is it to launch the attack?
    • Affected users: how many people will be impacted?
    • Discoverability: how easy is it to discover the threat?
  • 10. LINDDUN (Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance)
    • Define DFD: high-level system description
    • Map privacy threats: map the LINDDUN categories onto the DFD elements
    • Identify threat scenarios: privacy threat patterns in the form of a tree
    • Prioritize threats: risk assessment techniques
    • Elicit privacy requirements: map each prioritized privacy threat to a requirement
    • Mitigation strategy: select privacy-enhancing technologies (PETs)
  • 11. Attack Tree (figure): an Attack Goal at the root decomposes into Attack Objectives 1-3; objectives decompose into Attack Methods 1-2 and those into Asset Attacks 1-4, with Asset Attack 2 appearing under two different parents. Child nodes are combined with AND or OR gates.
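The attack tree on slide 11 is only useful if it is evaluated: an OR gate is defeated only when every child is mitigated, an AND gate when any one child is. The following is an added example, not part of the SACON deck: it builds a tree in the shape of the slide (goal, objectives, methods, asset attacks, with Asset Attack 2 shared between two parents), then answers the questions a threat modeler actually asks: is the goal still reachable after a given set of controls, what is the cheapest remaining path, and which minimal set of asset attacks must be blocked to cut the goal off. The AND/OR assignments and the effort figures are constructed for illustration.

```python
"""Attack-tree evaluation with AND/OR gates (added example, not from the deck)."""
from dataclasses import dataclass, field
from itertools import combinations
from typing import List, Optional, Set


@dataclass
class Node:
    name: str
    gate: Optional[str] = None            # "AND", "OR", or None for a leaf
    children: List["Node"] = field(default_factory=list)
    effort: int = 0                       # leaf only: attacker effort units (constructed)


def leaf(name: str, effort: int) -> Node:
    return Node(name, effort=effort)


# Leaves are shared objects, so mitigating one attack removes it under every parent,
# exactly as "Asset Attack 2" appears twice on the slide.
ASSET = {
    "Asset Attack 1": leaf("Asset Attack 1", 3),
    "Asset Attack 2": leaf("Asset Attack 2", 1),
    "Asset Attack 3": leaf("Asset Attack 3", 4),
    "Asset Attack 4": leaf("Asset Attack 4", 5),
}

# Gate assignments are constructed; the slide only shows that both kinds occur.
TREE = Node("Attack Goal", "OR", [
    Node("Attack Objective 1", "AND", [
        Node("Attack Method 1", "OR", [ASSET["Asset Attack 1"], ASSET["Asset Attack 2"]]),
        Node("Attack Method 2", "OR", [ASSET["Asset Attack 3"]]),
    ]),
    Node("Attack Objective 2", "OR", [ASSET["Asset Attack 2"]]),
    Node("Attack Objective 3", "AND", [ASSET["Asset Attack 2"], ASSET["Asset Attack 4"]]),
])


def reachable(node: Node, mitigated: Set[str]) -> bool:
    """True if the attacker can still achieve `node` once the named leaf attacks are mitigated."""
    if node.gate is None:
        return node.name not in mitigated
    results = [reachable(c, mitigated) for c in node.children]
    return all(results) if node.gate == "AND" else any(results)


def cheapest(node: Node, mitigated: Set[str]) -> Optional[int]:
    """Minimum attacker effort to reach `node`, or None if blocked. AND sums, OR takes the minimum."""
    if node.gate is None:
        return None if node.name in mitigated else node.effort
    costs = [cheapest(c, mitigated) for c in node.children]
    if node.gate == "AND":
        return None if any(c is None for c in costs) else sum(costs)
    live = [c for c in costs if c is not None]
    return min(live) if live else None


def leaves(node: Node) -> Set[str]:
    if node.gate is None:
        return {node.name}
    return set().union(*(leaves(c) for c in node.children))


def minimal_cuts(node: Node) -> List[Set[str]]:
    """All smallest sets of leaf attacks whose mitigation blocks the root.

    Brute force over leaf subsets (exponential in the number of leaves); fine for
    a whiteboard-sized tree, not for a large one.
    """
    names = sorted(leaves(node))
    for k in range(len(names) + 1):
        cuts = [set(c) for c in combinations(names, k) if not reachable(node, set(c))]
        if cuts:
            return cuts
    return []


if __name__ == "__main__":
    print(reachable(TREE, set()), cheapest(TREE, set()))
    print(reachable(TREE, {"Asset Attack 2"}), cheapest(TREE, {"Asset Attack 2"}))
    print(minimal_cuts(TREE))
```

Blocking Asset Attack 2 alone removes the cheapest path (effort 1 via Objective 2) but leaves Objective 1 open at effort 7; the minimal cuts show that a second control, on Asset Attack 1 or Asset Attack 3, is needed to close the goal entirely. That "which control closes the tree" question is the bridge from the attack tree to the control catalog the rest of the deck argues for.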
  • 12. Threat Library Based Approach
    • One thing common to all conventional threat models: a threat-library-based approach
    • The threat library is:
      – Too cryptic for the developers
      – Threats are not directly mapped to an action / activity
      – Usually static
    • There are tools, but with limitations:
      – Costly
      – Require skill to configure as per the business need
  • 14. Scalability
    • Modeling threats is no easy job
    • Who cares for the security expert's jargon? It is too conceptual, abstract and prescriptive
    • Architecture is becoming more and more complex
    • Considering the supply chain: a mammoth task
    • Security skill resource gap
    • Development is becoming more and more agile (DevOps)
  • 16. What is a Security Control? (Reference: ISO 27034)
    • Controls: methods, policies and procedures that protect assets, ensure the accuracy and reliability of records, and enforce adherence to management standards
  • 18. OWASP Top 10 Proactive Controls (2018 edition)
    • C1: Define Security Requirements
    • C2: Leverage Security Frameworks and Libraries
    • C3: Secure Database Access
    • C4: Encode and Escape Data
    • C5: Validate All Inputs
    • C6: Implement Digital Identity
    • C7: Enforce Access Controls
    • C8: Protect Data Everywhere
    • C9: Implement Security Logging and Monitoring
    • C10: Handle All Errors and Exceptions
  • 20. The Process Flow (figure: the TVC triad). Three nodes in a cycle:
    • Threats, fed by threat intelligence, PSIRT, CSIRT, CWE, ATT&CK and CVE
    • Control, drawn from the Control Catalog and the ANF (Application Normative Framework, ISO 27034)
    • Verify, the verification activities
  • 21. The Revised Process Flow (figure): the same triad, with Verify spelled out as scans, manual testing etc.
  • 22. The Revised Process Flow with Update (figure): the same triad, with verification results fed back as updates to the threat set
  • 23. What does that mean?
    • Let's talk in the developer's language:
      – Instead of "non-repudiation", tell them "use a digital signature"
      – Instead of "tampering" or "MITM", tell them "secure data transport via TLS 1.2 (or later)"
      – Etc.
    • The Threat Library and the Control Catalog do not have a 1-1 mapping
    • Give a finite set of controls; make it complete, sound and correct
    • Failure of a control = threat
  • 25. How does the control-based approach help?
    • Less dependency on security experts
    • Can be automated and integrated into the pipeline
    • Faster
    • Standard
    • Adaptive and dynamic
    • Complements traditional threat models: you still need them for high-value products in the design phase
  • 28. Microsoft TM Tool Report (figure: a report generated by the Microsoft Threat Modeling Tool; image only)
  • 29. Manual Threat Model
    • Whiteboard, with all the stakeholders
  • 30. Manual Threat Model
    • Threat Library: a list of all possible threats
      ▪ Attacks on Incomplete Mediation
      ▪ Attacks on Certificate Validation
      ▪ Privilege Escalation Attacks
      ▪ Attacks on Insecure Cryptography
      ▪ Attacks on Network Communications
      ▪ Attacks on Secrets
      ▪ Attacks on Weak Session Management
      ▪ Attacks on Web Interfaces
      ▪ Attacks on Web Services
      ▪ Attacks on Objects
      ▪ Injection Attacks
      ▪ Buffer Overflow Attacks
      ▪ File Upload Attacks
      ▪ Denial of Service Attacks
      ▪ Attacks on Installation Packages/Update
      ▪ Attacks on Security Misconfigurations
      ▪ Attacks on Audit Logs
      ▪ Attacks on Embedded Components
      ▪ Attacks on Datastores
  • 31. Manual Threat Model
    • Threat Library: a list of all possible threats; for example, Attacks on Incomplete Mediation expands to:
      ▪ Unrestricted access
      ▪ Authentication downgrade
      ▪ Authorization bypass
      ▪ Tampering through filesystem access
      ▪ Client bypass
      ▪ Process spoofing
      ▪ Weak access controls
      ▪ Capture/replay attacks
      ▪ Tampering in transit
  • 32. Manual Report: the fields recorded for each threat
    • Unique threat identifier
    • Free-form threat identifier
    • Element(s) involved in the threat
    • Base metrics (CVSSv3) and the CVSSv3 vector
    • Detailed explanation of the "use case" constructed to calculate the CVSSv3 score
    • Threat Library identifier, CWE
    • Technical description of the threat
    • Risk registry index (if a risk registry exists for the product)
    • Threat status: known/unknown
    • Planned resolution
    • Technical mitigation
    • Business mitigation
  • 34. Control to Threat Map
    • Instead of a Threat Library, let us identify threats by using the Control Catalog
    • Example: for the threat Cross-Site Scripting, the catalog rows are
      Control | Threat
      Web security testing (DAST) | Cross-site scripting
      Static analysis using a tool that is able to discover XSS issues in the languages utilized | Cross-site scripting
      Perform a test for reflected cross-site scripting | Cross-site scripting
      Perform a test for stored cross-site scripting | Cross-site scripting
      A standard convention to mitigate these threats is agreed upon by the development team and is strictly enforced by coding conventions | Cross-site scripting
      Penetration test | Cross-site scripting
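The TVC triad on slides 20-23 ("failure of a control = threat", controls phrased in the developer's language, no 1-1 mapping between library and catalog) and the control-to-threat map on slide 34 describe the same data flow. The following is an added example, not code from the SACON deck: it encodes the six XSS rows from slide 34 as a control catalog, adds two constructed rows for a second threat to show the many-to-one mapping, feeds in constructed verification results, and derives the live threats, the developer to-do list, and the catalog's coverage gaps against a (constructed) slice of the threat library from slide 31. Control ids and the result format are assumptions of this example.

```python
"""Control catalog -> threat derivation, the TVC triad in code (added example, not from the deck)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Control:
    cid: str        # hypothetical control id
    action: str     # what the developer has to do or run, in their language
    threat: str     # the threat this control counters (many controls -> one threat)
    verify: str     # the verification activity that produces the evidence


CATALOG: List[Control] = [
    # The six rows of slide 34.
    Control("XSS-1", "Web security testing (DAST) against every deployed web interface", "Cross-site scripting", "DAST scan"),
    Control("XSS-2", "Static analysis with a tool able to discover XSS in the languages used", "Cross-site scripting", "SAST scan"),
    Control("XSS-3", "Test for reflected cross-site scripting", "Cross-site scripting", "Manual test"),
    Control("XSS-4", "Test for stored cross-site scripting", "Cross-site scripting", "Manual test"),
    Control("XSS-5", "Agreed output-encoding convention, enforced by coding conventions", "Cross-site scripting", "Code review"),
    Control("XSS-6", "Penetration test of the web interface", "Cross-site scripting", "Penetration test"),
    # Constructed rows for a second threat (slide 23's "secure data transport via TLS 1.2" example).
    Control("TLS-1", "Secure data transport via TLS 1.2 or later on every external connection", "Tampering in transit", "Config scan"),
    Control("TLS-2", "Validate server certificates against the trusted CA set", "Tampering in transit", "Manual test"),
]

# Constructed slice of the slide 31 threat library, used for the coverage check.
THREAT_LIBRARY: Set[str] = {"Cross-site scripting", "Tampering in transit", "Capture/replay attacks"}

# Constructed verification evidence, as a pipeline would record it: "pass", "fail", or absent = not yet verified.
RESULTS: Dict[str, str] = {
    "XSS-1": "pass", "XSS-2": "fail", "XSS-3": "pass", "XSS-4": "pass", "XSS-6": "pass",
    "TLS-1": "pass", "TLS-2": "pass",
}


def controls_for(threat: str, catalog: Iterable[Control] = CATALOG) -> List[Control]:
    """All controls that counter one threat: the many-to-one side of the map."""
    return [c for c in catalog if c.threat == threat]


def live_threats(catalog: Iterable[Control], results: Dict[str, str]) -> Dict[str, List[str]]:
    """Threats with at least one failed or unverified control, with the controls that let them in."""
    out: Dict[str, List[str]] = defaultdict(list)
    for c in catalog:
        status = results.get(c.cid, "unverified")
        if status != "pass":
            out[c.threat].append(f"{c.cid} ({status})")
    return dict(out)


def mitigated_threats(catalog: Iterable[Control], results: Dict[str, str]) -> Set[str]:
    """Threats whose every control has passed verification."""
    catalog = list(catalog)
    return {c.threat for c in catalog} - set(live_threats(catalog, results))


def developer_todo(catalog: Iterable[Control], results: Dict[str, str]) -> List[str]:
    """What the team has to do next, phrased as control actions rather than threat jargon."""
    return [f"{c.cid}: {c.action} [verify: {c.verify}]"
            for c in catalog if results.get(c.cid) != "pass"]


def uncovered_threats(catalog: Iterable[Control], library: Set[str]) -> Set[str]:
    """Library threats with no control at all: a completeness gap in the catalog itself."""
    return set(library) - {c.threat for c in catalog}


if __name__ == "__main__":
    print(live_threats(CATALOG, RESULTS))
    print(mitigated_threats(CATALOG, RESULTS))
    for line in developer_todo(CATALOG, RESULTS):
        print(line)
    print(uncovered_threats(CATALOG, THREAT_LIBRARY))
```

With these inputs, cross-site scripting stays live because the SAST control failed and the coding-convention control was never verified, tampering in transit is closed, and the coverage check flags capture/replay attacks as a threat the catalog does not address at all; that last result is the "monitor for gaps" step, and it is what keeps a finite control set honest about its own completeness.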
  • 35. The approach is
    • Scalable
    • Control-based
    • Developer-centric
    • Effective
    • Secure
  • 37. Key Insights
    • The STRIDE technique may be good at enumerating threats, but it does not aid in developing countermeasures or a mitigation plan
    • An attack tree provides an overview of the attack surface at some level of abstraction, which results in not capturing the data essential for understanding the threat scenario
    • An attack library may provide information about attack vectors and be suitable as a checklist model, but it may not contribute the completeness we expect from the exercise
  • 38. Takeaways
    • Utilize a combination of these techniques to perform the various activities in the threat modelling process
    • The critical success factor for the threat modelling exercise lies in adopting a structured approach
    • Adopt the flipped model: strive for a control-centric approach